Troubleshooting problem issues
Help to explore your knowledge
April 16, 2016
Migrate File Server from Server 2003 to 2008 R2 or 2012 with Robocopy (with NTFS permissions)
Option 1: You can either use the Microsoft FSMT tool, or you can use Robocopy (more powerful). All Robocopy operations are incremental in nature, which means that only new files/folders, or files that have changed, are copied. Obviously, when you perform a Robocopy operation for the first time, all folders and files are new on the destination server.
Initial copy of data
Let's assume the 2003 file server's name is 2003FS, while the 2008 R2 file server's name is 2008R2FS, and we are going to move two folders, named Finance and General, from the D-drive of the old server to the D-drive of the new server. The syntax for copying the data is then as follows (the commands are run on the destination server):
robocopy \\2003FS\d$\Finance D:\Finance /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\robocopylog\finance.log /V /NP
robocopy \\2003FS\d$\General D:\General /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\robocopylog\General.log /V /NP
The switches are explained as such:
/E :: copy subdirectories, including Empty ones.
/ZB :: use restartable mode; if access denied use Backup mode.
/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
(copyflags : D=Data, A=Attributes, T=Timestamps).
(S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.
/LOG:file :: output status to LOG file (overwrite existing log).
/V :: produce Verbose output, showing skipped files.
/NP :: No Progress – don’t display percentage copied.
Copy data for the final time
robocopy \\2003FS\d$\Finance D:\Finance /e /zb /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\Finance.log /v /NP
robocopy \\2003FS\d$\General D:\General /e /zb /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\General.log /v /NP
Note that I have included the /mir switch here:
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
In other words, /mir does the same as /e and /purge combined:
/PURGE :: delete dest files/dirs that no longer exist in source.
Keep in mind, it will only delete files/dirs at the destination, NOT at the source. Some people believe, for some strange reason, that files at the source are deleted as well. That is NOT the case.
Synchronizing NTFS permissions and other file related properties only
If you forgot to include the /copy:DATSOU or /copyall option for whatever reason, and are now looking for a switch to synchronize the NTFS permissions or other file-related properties, you can use the /secfix option:
/SECFIX :: FIX file SECurity on all files, even skipped files.
When using the /SECFIX copy option, specify the type of security information you want to copy by also using one of these additional copy options: /COPYALL /COPY:O /COPY:S /COPY:U /SEC
The following example synchronizes file security information for the Finance folder we copied from the 2003FS server earlier:
robocopy \\2003FS\D$\Finance D:\Finance /secfix /copy:SOU /r:3 /w:3 /log:c:\robocopylog\SecFix\Finance.log /V /NP
Remember, this will only synchronize file security information between the source and the destination; it will not copy any files. To completely synchronize data and file security information, use the following command:
robocopy \\2003FS\D$\Finance D:\Finance /e /zb /secfix /copy:DATSOU /mir /r:3 /w:3 /log:c:\robocopylog\FinalMirror\Finance.log /v /NP
The /MT option
/MT[:n] :: Do multi-threaded copies with n threads (default 8). n must be at least 1 and not greater than 128.
This option is incompatible with the /IPG and /EFSRAW options.
Simply put, it makes the copy operation go faster, but use it with caution: if you define too many threads, you will saturate the network card of your server or the bandwidth of your network. Personally, I rarely use this switch.
Caveat to copying in two phases
There is a small caveat to copying data in two phases. If someone changes only security information of a file/folder between phase 1 and phase 2, but not the content, that file/folder will be skipped during the copy process in phase 2, therefore the new NTFS permissions on the file will not be copied either.
The chances of someone changing only the NTFS permissions on a file/folder between phase 1 and phase 2 might not be big, but they are certainly there. So if you know that might happen, use the /secfix option in phase 2 to copy NTFS permissions on files/folders regardless of whether the file/folder was already copied in phase 1. The command you would use is the final command shown above under "Synchronizing NTFS permissions" (the one that combines /secfix with /copy:DATSOU and /mir).
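As an added example (not part of the original post), the following PowerShell wrapper runs both phases with the switches described above and decodes Robocopy's exit code so a failed or fatal run is noticed rather than silently logged. It assumes the post's server names, folders and log locations, and relies on Robocopy's exit code being a bitmask (1 = files copied, 2 = extra files at destination, 4 = mismatches, 8 = failed copies, 16 = fatal error), so values below 8 mean success.

```powershell
# Added example, not part of the original post: two-phase Robocopy migration
# wrapper with exit-code decoding. Assumptions: the post's server names,
# folders and log paths; robocopy exit codes < 8 mean no failures.

$Source      = '\\2003FS\d$'
$Destination = 'D:'
$LogRoot     = 'C:\robocopylog'
$Folders     = 'Finance', 'General'

function Get-RobocopyResult {
    param([int] $ExitCode, [string] $Log)
    [pscustomobject]@{
        Log          = $Log
        ExitCode     = $ExitCode
        Copied       = ($ExitCode -band 1)  -ne 0
        Extras       = ($ExitCode -band 2)  -ne 0   # destination-only items (purged by /mir)
        Mismatched   = ($ExitCode -band 4)  -ne 0
        FailedCopies = ($ExitCode -band 8)  -ne 0
        FatalError   = ($ExitCode -band 16) -ne 0
        Succeeded    = $ExitCode -lt 8
    }
}

function Invoke-MigrationPhase {
    param(
        [ValidateSet('Initial', 'Final')] [string] $Phase,
        [string] $Folder
    )
    # Switches from the post: recurse incl. empty dirs, restartable/backup mode,
    # copy Data/Attributes/Timestamps/Security/Owner/aUditing, 3 retries, 3 s wait.
    $rcArgs = @("$Source\$Folder", "$Destination\$Folder",
                '/e', '/zb', '/copy:DATSOU', '/r:3', '/w:3', '/V', '/NP')
    if ($Phase -eq 'Final') {
        # /mir purges files deleted at the source; /secfix re-applies ACLs even
        # to files skipped as unchanged (the two-phase caveat in the post).
        $rcArgs += '/mir', '/secfix'
        $log = Join-Path $LogRoot "FinalMirror\$Folder.log"
    } else {
        $log = Join-Path $LogRoot "$Folder.log"
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null
    $rcArgs += "/log:$log"
    & robocopy.exe @rcArgs | Out-Null   # console output is duplicated in the log
    Get-RobocopyResult -ExitCode $LASTEXITCODE -Log $log
}

# Phase 1: initial copy while the old server is still in use.
$Folders | ForEach-Object { Invoke-MigrationPhase -Phase Initial -Folder $_ } | Format-Table

# Phase 2: final mirror after users have been moved off 2003FS.
$final = $Folders | ForEach-Object { Invoke-MigrationPhase -Phase Final -Folder $_ }
$final | Format-Table
if ($final | Where-Object { -not $_.Succeeded }) {
    throw 'Robocopy reported failed copies; inspect the logs before cutting over.'
}
```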
How to retain share names and permissions
Basically you need to do this:
1. Export the registry key HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares on the old server
2. Import it on the new server
3. Restart the new server
Microsoft KB article: http://support.microsoft.com/kb/125996
Using Group Policy Preferences to Map Drives Based on Group Membership
A common request we hear is how to automatically connect specific network shares to drive letters based on group membership. Mapping network drives based on group membership requires some programming knowledge, either VBScript or command shell (batch files). VBScript-based logon scripts can require hundreds of lines of code to provide a complete solution. And batch files require the assistance of helper applications such as IFMEMBER.EXE and NET.EXE, and introduce many challenges with controlling how Windows processes the script. But Group Policy Preferences removes the programming requirement and awkwardness of scripting mapped drives based on group membership. There are many scenarios in which you may want to map a local drive letter to a specific network share, including public drive mappings, inclusive group drive mappings, and exclusive group drive mappings.
Public drive mappings typically do not require membership of a particular group. However, sometimes public drive mappings do not provide enough granularity. Most organizations have data specific to business units such as accounting, marketing, or human resources. Inclusive group drive mappings solve this problem by allowing a configuration that maps a specific drive letter to a specific network share based on the user being a member of a particular group. This ensures members of the accounting unit receive drive letters mapped for accounting and members of human resources map their respective drives. Exclusive drive mappings are not very common; however, they do provide the flexibility to prevent a user from mapping a particular drive letter to a network share if they are not a member of a specific group. A good example of exclusive drive mappings is to prevent the CIO or other executive members from mapping a drive letter they are likely never to use. Let us take a closer look at these scenarios.
Public drive mappings
Producing a Group Policy Preference item to create public drive mappings is simple. The GPO containing the preference item is typically linked to higher containers in Active Directory, such as the domain or a parent organizational unit.
Configuring the drive map preference item.
Figure 1 Configuring mapped drive preference item
Newly created Group Policy objects apply to all authenticated users. The drive map preference items contained in the GPO inherit the scope of the GPO, leaving us to simply configure the preference item and link the GPO. We start by configuring the drive map preference item by choosing the Action of the item. Drive map actions include Create, Replace, Update, and Delete. These are the actions commonly found in most preference items. Create and Delete actions are self-explanatory. The compelling difference between Replace and Update is that Replace deletes the mapped drive and then creates a new mapped drive with the configured settings. Update does NOT delete the mapped drive; it only modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to determine if a specific drive exists. The preceding image shows a Drive Map preference item configured with the Replace action. The configured location is a network share named data, hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other options are left at their defaults. This GPO is linked at the contoso.com domain.
The results of this configuration are seen when using Windows Explorer on the client computer. The following picture shows a user’s view of Windows Explorer. We see there is one network location listed here, which is the G drive that is mapped to \\hq-con-srv-01\data.
Figure 2 Public drive map client view
Later, we’ll see how to use exclusive drive mappings with public drive mappings as a way to exclude public drive mappings from a subset of users.
Inclusive drive mapping
Inclusive drive mappings are drives mapped to a user who is a member of (or included in) a specific security group. The most common use for inclusive drive maps is to map remote data shares in common with a specific subset of users, such as accounting, marketing, or human resources. Configuring an inclusively mapped drive is the same as a public drive mapping, but includes one additional step. The following image shows us configuring the first part of an inclusive drive mapping preference item.
Figure 3 Inclusive drive mapping
Configuring the first part of an inclusive drive mapping preference item does not make it inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting to ensure the drive mapping item works only for users who are members of the group. We can configure item-level targeting by clicking the Targeting button, which is located on the Common tab of the drive mapping item. The targeting editor provides over 20 different types of targeting items. We're specifically using the Security Group targeting item.
Figure 4 Security group targeting item
Using the Browse button allows us to pick a specific group at which to target the drive mapping preference item. A Security Group targeting item accomplishes its targeting by comparing the security identifier of the specified group against the list of security identifiers within the security principal's (user or computer) token. Therefore, always use the Browse button when selecting a group; typing the group name does not resolve the name to a security identifier.
Figure 5 Configured inclusive security group targeting item
The preceding screen shows a properly configured, inclusive targeting item. A properly configured security group targeting item shows both the Group and SID fields. The Group field is strictly for administrative use (we humans recognize names better than numbers). The SID field is used by the client-side extension to determine group membership. We can determine this is an inclusive targeting item because of the text that represents the item within the list. The word "is" appears in the text "the user is a member of the security group CONTOSO\Management." Our new drive map item and the associated inclusive targeting item are now configured. We can now link the hosting Group Policy object to the domain with confidence that only members of the Management security group receive the drive mapping. We can see the result on a client. The following image shows manager Mike Nash's desktop from a Windows Vista computer. We can see that Mike receives two drive mappings: the public drive mapping (G: drive) and the management drive mapping (M: drive).
Figure 6 Client view of inclusive drive mapping
Exclusive drive mapping
The last scenario discussed is exclusive drive mapping. Exclusive drive mappings produce the opposite result of an inclusive drive mapping; that is, the drive map does NOT occur if the user is a member of the specified group. This becomes useful when you need to make exceptions to prevent specific drives from mapping. Let's add an exclusive drive mapping to our public drive mapping to prevent specific members of management from receiving the public drive mapping.
Figure 7 Configured exclusive drive mapping
The preceding image shows the changes we made to the public drive mapping (from the first scenario). We've added a Security Group targeting item to the existing public drive mapping preference item. However, the targeting item applies only if the user IS NOT a member of the ExcludePublicDrives group. We change this option using the Item Options list. The client view of manager Monica Brink shows the results of applying Group Policy.
Figure 8 Client view of exclusive drive mapping
This client applies two Group Policy objects, each containing a drive mapping preference item. One item contains our public drive mapping with an exclusive security group targeting item. The other GPO contains the management drive mapping with an inclusive security group targeting item. The client processes the public drive mapping GPO; however, the exclusive targeting item verifies that Monica is a member of the ExcludePublicDrives group. Monica is also a member of the Management group. Therefore, Monica's group memberships prevent her from receiving the public drive mapping and include her in receiving the management drive mapping.
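As an added example (not from the original article), the following PowerShell reproduces how the client-side extension evaluates the two targeting items above: by comparing the group's SID with the SIDs in the logon token, never by name. The group names are the article's; the SIDs and Monica's token are constructed placeholder values, and Get-GroupSid shows the name-to-SID resolution the Browse button performs.

```powershell
# Added example, not from the original article: inclusive vs. exclusive
# Security Group targeting evaluated the way the client does, on SIDs.
# Assumptions: group names from the article; SIDs below are constructed.

function Get-GroupSid {
    param([string] $GroupName)   # e.g. 'CONTOSO\Management'
    # What the Browse button does: resolve the name to a SID once, at
    # configuration time, so a later group rename cannot break the targeting.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-DriveMapTarget {
    param(
        [string]   $Letter,
        [string]   $GroupSid,
        [bool]     $IsMember,     # $true: "user is a member of"; $false: "IS NOT a member of"
        [string[]] $TokenSids     # SIDs present in the user's logon token
    )
    $inToken = $TokenSids -contains $GroupSid
    $applies = if ($IsMember) { $inToken } else { -not $inToken }
    [pscustomobject]@{ Drive = "${Letter}:"; GroupInToken = $inToken; DriveMaps = $applies }
}

# Constructed sample SIDs standing in for the values the Browse button would store.
$managementSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$excludeSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
# Monica's constructed token: Domain Users (RID 513), Management, ExcludePublicDrives.
$monicaToken   = @('S-1-5-21-1111111111-2222222222-3333333333-513', $managementSid, $excludeSid)

# Public G: drive with an exclusive item, management M: drive with an inclusive item.
Test-DriveMapTarget -Letter G -GroupSid $excludeSid    -IsMember $false -TokenSids $monicaToken
Test-DriveMapTarget -Letter M -GroupSid $managementSid -IsMember $true  -TokenSids $monicaToken

# On a domain-joined client the live token can be checked the same way:
# $live = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
# Test-DriveMapTarget -Letter M -GroupSid (Get-GroupSid 'CONTOSO\Management') -IsMember $true -TokenSids $live
```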
Summary
Drive mapping preference items do not require any scripting knowledge and are easy to use. Leveraging targeting items with drive mapping items increases the power with which to manage drive mappings for users and computers. Public drive mappings are typically linked at higher levels in the domain and generally apply to a large subset (if not all) of users. Inclusive drive mappings associate a specific subset of data with a specific group of people, often mapping to logical divisions within an organization such as accounting, marketing, or human resources. Exclusive drive mappings invert the principles of inclusive drive mappings: the user must not be a member of the specified group for the drive mapping to occur.
Best practices
Be sure to link GPOs high enough in Active Directory so the scope of the drive mapping affects the largest group of user accounts. Obviously, not every GPO should be linked at the domain; however, if there is an accounting organizational unit with three child OUs, then linking at the Accounting OU affects the largest number of users. Allow your inclusive and exclusive targeting items to do the bulk of your work. GPOs hosting inclusive drive mappings are best used when the number of users needing the drive mapping is fewer than the number who do not. Exclusive drive mappings are best used when the number of users not requiring the drive mapping is fewer than the number that do. These rules help prevent users from becoming members of too many groups and increasing the cost of managing drive mappings within the organization.
October 9, 2015
How to enable BitLocker on Windows Server 2012 R2
Thanks to the improvements in virtualization and storage technologies, it's not difficult to clone a disk. That is a great advantage for disaster recovery, but also a potential risk for the security of your information.
Microsoft lets you encrypt the disks of a server with a feature named BitLocker. We are going to see how you can enable BitLocker on a physical or virtual server to protect your company from data theft.
Install the BitLocker Drive Encryption feature with the Add Roles and Features Wizard:
You need to restart the system after the installation:
How to enable BitLocker on a virtual machine (without TPM)
You need a Trusted Platform Module (TPM) in order to take advantage of BitLocker encryption. Virtual machines don't have a TPM, so you need to follow these two steps BEFORE configuring BitLocker (the BitLocker feature must already be installed on the server).
Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives. Double-click Require additional authentication at startup:
Select Enabled and check Allow BitLocker without a compatible TPM:
After a restart, open the Control Panel; you'll find the BitLocker configuration panel. Open it and click Turn On BitLocker:
In this tutorial we used a VM, so a system without a TPM, and Windows asks us to configure an additional authentication at startup. We chose a password to protect the data, but we suggest using a USB flash drive instead. With a flash drive you don't have to enter the password at every server restart; just leave the USB drive plugged in and you'll be fine:
A recovery key can save you from big troubles. We printed it for security reasons:
Choose the encryption mode best suited for your disks:
Click Continue:
Restart the system:
At the next boot you'll be "forced" to enter the password or plug in the USB flash drive. After Windows starts, BitLocker will begin the encryption process:
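As an added example (not from the original post), the same procedure can be done from an elevated PowerShell on Server 2012 R2 using the BitLocker module's cmdlets. It assumes C: is the OS drive and that the two registry values written below are what the "Require additional authentication at startup" policy with "Allow BitLocker without a compatible TPM" sets under HKLM\SOFTWARE\Policies\Microsoft\FVE (an assumption to confirm against gpedit.msc on your system).

```powershell
# Added example, not from the original post: enable BitLocker on a TPM-less
# server from PowerShell. Assumptions: C: is the OS volume; the FVE policy
# values below match the GUI policy setting (verify with gpedit.msc).

# 1. Install the feature (a restart is required before continuing).
Install-WindowsFeature BitLocker -IncludeManagementTools

# 2. Local policy equivalent of "Allow BitLocker without a compatible TPM".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 3. Add a recovery password protector first and record it off the server;
#    without it a forgotten startup password means the data is gone.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Turn on BitLocker with a startup password (the choice made in the post).
#    -UsedSpaceOnly is the faster mode for a freshly installed disk.
$startupPassword = Read-Host -AsSecureString -Prompt 'Startup password'
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $startupPassword `
                 -UsedSpaceOnly -SkipHardwareTest

# 5. Check the state; encryption runs after the reboot once the password is entered.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
```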
How to enable Roaming Profiles on Windows Server 2012 R2
Roaming Profiles allow users of an Active Directory Domain to access their desktop and documents from any PC of the domain.
It’s a powerful feature that can improve the productivity of the employees and make their lives easier.
The best thing about Roaming Profiles is how easy they are to set up.
Before configuring a Roaming Profile, we need to create a Share. Open the Server Manager and go to the Shares tab:
Create a new Share:
Click Next:
Specify the path of the Roaming Profiles. Add a $ to the end of the path to make the shared folder invisible:
Click Next:
Enable access-based enumeration (for better security):
Now it’s time to customize the permissions. We need to allow the access to Domain Users (or another Group). Click Customize permissions:
Click Add:
Select the group (Domain Users in our example) and apply the permissions to This folder only. You need to enable List folders / read data and Create folders / append data:
Confirm and the share will be created:
Now the final step. Open the Active Directory Users and Computers panel:
Open the Properties of a user and go to the Profile tab. Specify the Profile Path:
\\server_name\profile_folder_name\%username%
Mission accomplished! Your first Roaming Profile is enabled and active. To create other Roaming Profiles, use the copy function or manually specify the Profile Path.
You can also create a policy to automate the process.
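As an added example (not from the original post), the following PowerShell creates the hidden share with access-based enumeration, applies the minimal NTFS permissions described above (list and create on this folder only), and sets the profile path for the users in one OU. The server name FS01, folder D:\Profiles, share name Profiles$ and the OU distinguished name are placeholders.

```powershell
# Added example, not from the original post: roaming-profile share, NTFS
# permissions and profile path set from PowerShell on the file server.
# Assumptions (placeholders): FS01, D:\Profiles, Profiles$, OU=Staff,DC=example,DC=com.

Import-Module ActiveDirectory
$server = 'FS01'
$root   = 'D:\Profiles'
$share  = 'Profiles$'                       # trailing $ hides the share from browsing
$group  = "$env:USERDOMAIN\Domain Users"
$ou     = 'OU=Staff,DC=example,DC=com'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# NTFS: stop inheritance, keep admins/SYSTEM, then give the group only
# "List folder / read data" + "Create folders / append data" on this folder only.
# Users can create their own profile folder but cannot list or open others'.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'ListDirectory, CreateDirectories', 'None', 'None', 'Allow')))
Set-Acl -Path $root -AclObject $acl

# Share with access-based enumeration so users only see folders they can access.
New-SmbShare -Name $share -Path $root -FullAccess 'Authenticated Users' `
             -FolderEnumerationMode AccessBased | Out-Null

# Profile path per user, the equivalent of \\server\share\%username% in ADUC.
Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    Set-ADUser -Identity $_ -ProfilePath "\\$server\$share\$($_.SamAccountName)"
}
```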